
Consume service from secured CAP application in external UI5 application

mikolaj_k
Explorer
0 Kudos

Hello,

I have exposed a Node.js service in my CAP application and now I need to access it from an external UI5 app (not included in the MTA of the CAP app). The service restricted with 'authenticated-user' is working well, but when the service is restricted with a role I have no access and still get a 403 error. I am using the client_id and client_secret from the xsuaa instance of the CAP app.

The roles are assigned in BTP.

How can I get access to the secured service?

Thanks in advance for your help.

screens from service.cds file

'authenticated-user' - READ works good

role restricted - need help

junwu
Active Contributor
0 Kudos

Are they using the same xsuaa instance? What does your xs-security look like?

mikolaj_k
Explorer
0 Kudos

To be honest, I do not really know how to use the same xsuaa instance. Should I configure it just in the mta file? I tried to use the xsuaa from CAP as an existing-service and it did not work (maybe the config was not OK).

xs-security from UI5 app:

{
  "xsappname": "riskfiori",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "authorities": ["$ACCEPT_GRANTED_AUTHORITIES"],
  "foreign-scope-references": [
    "$XSAPPNAME(application,risk-management).RiskViewer"
  ],
  "authorities-inheritance": true,
  "scopes": [
    { "name": "uaa.user", "description": "UAA" }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": ["uaa.user"]
    }
  ]
}

my xs-security from CAP app (tried to grant authorities but did not work) and xsappname is set in mta file - risk-management:

{
  "scopes": [
    {
      "name": "$XSAPPNAME.RiskViewer",
      "description": "RiskViewer",
      "granted-apps": ["$XSAPPNAME(application,riskfiori)"],
      "grant-as-authority-to-apps": ["$XSAPPNAME(application, riskfiori)"]
    },
    {
      "name": "$XSAPPNAME.RiskManager",
      "description": "RiskManager"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "RiskViewer",
      "description": "generated",
      "scope-references": ["$XSAPPNAME.RiskViewer"],
      "attribute-references": []
    },
    {
      "name": "RiskManager",
      "description": "generated",
      "scope-references": ["$XSAPPNAME.RiskManager"],
      "attribute-references": []
    }
  ],
  "oauth2-configuration": {
    "credential-types": ["binding-secret", "x509"],
    "redirect-uris": [
      "https://*.applicationstudio.cloud.sap/**",
      "https://*.cfapps.us10.hana.ondemand.com/**"
    ]
  }
}

gregorw
Active Contributor
0 Kudos

Are you in the same project as divyeaggarwal? He posted the question: How to access XSUAA enabled CAP Service destination in standalone SAP UI5 Application

mikolaj_k
Explorer
0 Kudos

Hi gregorw,

No, I'm not in the same project

mikolaj_k
Explorer
0 Kudos

It looks like there is a problem with the destination. Can you check if the token URL and credentials are set up correctly?

Former Member
0 Kudos

I saw your posted answer. I recommend raising your question again as a new question and following our rules of engagement: https://community.sap.com/resources/rules-of-engagement. Feel free to take our Q&A tutorial at: https://developers.sap.com/tutorials/community-qa.html. With these tips you'll be able to prepare questions that draw responses from our members.

Thanks!

Accepted Solutions (1)

gregorw
Active Contributor

I would suggest that you use a destination with Authentication OAuth2UserTokenExchange. That way you can keep your XSUAA instances separate but let a user who has the correct roles assigned for your CAP backend use it.

mikolaj_k
Explorer
0 Kudos

Ohh it really works! Thanks!

mikolaj_k
Explorer
0 Kudos

gregorw, is it possible to access a service secured with roles through Postman?

gregorw
Active Contributor
0 Kudos

Do you want to test with a technical user or with a user from Identity Authentication / SAP ID Service?

mikolaj_k
Explorer
0 Kudos

Hi gregorw, can you tell me how to test it with a technical user?

mikolaj_k
Explorer
0 Kudos

gregor.wolf, can you help me? How can I test it with a technical user?
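
When a role-restricted service answers 403 while 'authenticated-user' works, the first thing to check is which scopes the access token being sent actually carries. The following is an added example, not code from any poster in this thread; the function names, the `!t0000` suffix and the sample tokens are constructed, and it assumes the usual XSUAA claim layout (scopes in `scope`, `user_name` present only in user tokens).

```javascript
// Added example. Inspection only: the signature is NOT verified here,
// so never base an authorization decision on this function.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWT with 3 segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Assumptions: scopes sit in the "scope" claim as "<xsappname>!t<n>.<role>",
// and a token issued for a user carries a "user_name" claim.
function checkRoleScope(token, appName, role) {
  const claims = decodeJwtPayload(token);
  const scopes = Array.isArray(claims.scope) ? claims.scope : [];
  const hasScope = scopes.some(
    (s) => s.startsWith(appName + "!") && s.endsWith("." + role)
  );
  return {
    kind: claims.user_name ? "user" : "technical",
    hasScope, // false here is consistent with a 403 on a role-restricted service
    scopes,
  };
}

// Constructed sample tokens (unsigned placeholders, not real credentials).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [enc({ alg: "none" }), enc(payload), "constructed-signature"].join(".");
}

// Token fetched with client_id/client_secret only: no user, no role scope.
const clientCredentialsToken = makeSampleToken({
  client_id: "sb-risk-management!t0000",
  scope: ["uaa.resource"],
});

// Token obtained for a user who has the RiskViewer role assigned.
const exchangedUserToken = makeSampleToken({
  client_id: "sb-risk-management!t0000",
  user_name: "viewer@example.com",
  scope: ["openid", "risk-management!t0000.RiskViewer"],
});

console.log(checkRoleScope(clientCredentialsToken, "risk-management", "RiskViewer"));
console.log(checkRoleScope(exchangedUserToken, "risk-management", "RiskViewer"));
```

Paste a real token only into a local tool like this one, since an access token is a bearer credential.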

Answers (0)